Re: Oracle Security

From: Thomas J. Kyte <tkyte_at_us.oracle.com>
Date: 1996/11/26
Message-ID: <329b54bd.22191249_at_dcsun4>#1/1


from the server admin guide:

<quote>
Secure Connections with Encrypted Passwords

To better protect the confidentiality of your password, Oracle7 can be configured to use encrypted passwords for client/server and server/server connections.

You can require that the password used to verify a connection always be encrypted by setting the following values:

  • Set the ORA_ENCRYPT_LOGIN environment variable to TRUE on the client machine.
  • Set the DBLINK_ENCRYPT_LOGIN server initialization parameter to TRUE.

If enabled at both the client and server, passwords will not be sent across the network “in the clear”, but will be encrypted using a modified DES (Data Encryption Standard) algorithm.

The DBLINK_ENCRYPT_LOGIN parameter is used for connections between two Oracle servers (for example, when performing distributed queries). If you are connecting from a client, Oracle checks the ORA_ENCRYPT_LOGIN environment variable.

Whenever you attempt to connect to a server using a password, Oracle encrypts the password before sending it to the server. If the connection fails and auditing is enabled, the failure is noted in the audit log. Oracle then checks the appropriate DBLINK_ENCRYPT_LOGIN or ORA_ENCRYPT_LOGIN value. If it is set to FALSE, Oracle attempts the connection again using an unencrypted version of the password. If the connection is successful, the connection replaces the previous failure in the audit log, and the connection proceeds. To prevent malicious users from forcing Oracle to re-attempt a connection with an unencrypted version of the password, you must set the appropriate values to TRUE. </quote>

So the passwords are encrypted PRIOR to transmission (on the client side).

On Tue, 26 Nov 1996 12:28:09 +0000, Steve Haynes <steve_at_rwx777.demon.co.uk> wrote:

>In article <329620FB.5E21_at_interpath.com>, "Shirley D. Willingham"
><sad_at_interpath.com> writes
>>Does anyone know for sure if the Operator name or password is encrypted
>>when you are signing on at the time of transmission. The file I think is
>>encrypted but I would like to know if the transmission is also encrypted.
>> I cannot seem to get an answer from Oracle manuals or from their
>>documentation. Would like to have an answer.
>I'm not entirely sure about the details of the question,
>but you might want to check out secure network services (SNS).
>--
>Steve Haynes

Thomas Kyte
Oracle Government
tkyte_at_us.oracle.com                          

http://govt.us.oracle.com

  • Check out Oracle Government's web site! ----- Follow the link to "Tech Center" and then downloadable Utilities for some free software...

statements and opinions are mine and do not necessarily reflect the opinions of Oracle Corporation

Received on Tue Nov 26 1996 - 00:00:00 CET
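
A way to audit the two settings named in the quoted guide text, as an added example that is not part of the original message or of Oracle's documentation. The function names, the sample parameter file and the choice to treat anything other than an explicit TRUE as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the two settings named in the quoted admin-guide text.
# Anything other than an explicit TRUE is a finding, since the guide says the
# value must be TRUE to stop the retry with an unencrypted password.

# check_init_ora FILE: every DBLINK_ENCRYPT_LOGIN assignment must be TRUE.
# Assumption: parameter names and TRUE/FALSE are case-insensitive in the file.
check_init_ora() {
    awk -F= '
        /^[ \t]*#/ { next }                          # whole-line comment
        {
            key = toupper($1); gsub(/[ \t]/, "", key)
            if (key != "DBLINK_ENCRYPT_LOGIN") next
            val = toupper($2); sub(/#.*/, "", val)   # drop trailing comment
            gsub(/[ \t\r]/, "", val)
            seen++
            if (val != "TRUE") bad++
        }
        END {
            if (!seen) { print "FINDING: DBLINK_ENCRYPT_LOGIN not set"; exit 1 }
            if (bad)   { print "FINDING: DBLINK_ENCRYPT_LOGIN not TRUE"; exit 1 }
            print "OK: DBLINK_ENCRYPT_LOGIN=TRUE"
        }' "$1"
}

# check_client_env: the client variable must be exactly TRUE (strict on purpose).
check_client_env() {
    case "${ORA_ENCRYPT_LOGIN-}" in
        TRUE) echo "OK: ORA_ENCRYPT_LOGIN=TRUE" ;;
        "")   echo "FINDING: ORA_ENCRYPT_LOGIN not set"; return 1 ;;
        *)    echo "FINDING: ORA_ENCRYPT_LOGIN not TRUE"; return 1 ;;
    esac
}

# Constructed sample parameter file, not taken from a real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# init.ora (constructed sample)
db_name = DEMO
dblink_encrypt_login = FALSE   # fallback to cleartext still possible
EOF
check_init_ora "$sample" || true
check_client_env || true
rm -f "$sample"
```

Run `check_client_env` on each client machine and `check_init_ora` against each server's parameter file; a non-zero return means the unencrypted retry described in the guide is not ruled out by that setting.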
